WordPress 4.4.2 Patches Open Redirect, SSRF Flaws

The developers of the popular content management system WordPress announced on Tuesday the availability of version 4.4.2, a release that patches a couple of security issues and many functionality bugs.

WordPress 4.4.2 fixes an open redirection vulnerability reported by Shailesh Suthar and a server-side request forgery (SSRF) vulnerability affecting certain local URIs. The SSRF flaw was responsibly disclosed to the WordPress team by Denmark-based developer Ronni Skansing.

The latest version of WordPress also addresses 17 bugs affecting versions 4.4 and 4.4.1. WordPress users are advised to update their installations as soon as possible.

Security firm Sucuri reported on Monday that it had observed a spike in WordPress website infections. Attackers have been injecting malicious code into all the .js files of a targeted website in an effort to display ads and make a profit.

Sucuri said it’s not easy for webmasters to clean up their websites because the attackers target all JavaScript files, and if multiple websites share the same hosting account, the sites re-infect each other via a technique known as cross-site contamination.

It’s unclear what method has been used by the hackers to compromise WordPress websites, but older versions of the CMS and its plugins are plagued by several vulnerabilities that can be exploited for this purpose.

For instance, WordPress released version 4.4.1 in January to address a cross-site scripting (XSS) vulnerability that developers said could allow malicious actors to compromise affected websites.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.